TechSpot

Error 0x80072eff when Windows Update is attempted

By peterburgess
Dec 13, 2010
    1. Can't access MS Windows Update page -> network errors
    2. GMER warning about RootKit Activity...
    3. Can't post this message from the funky machine.

    Message (1/2)

    A Google search of this error message led me to these forums. I've executed the 8 steps of information gathering.

    Quick Summary
    1. Ran Avira AntiVir: no errors detected.
    2. Ran TFC: no errors.
    3. Ran Malwarebytes.
       Quick scan: Rogue.ThinkPoint file infection, removed.
       2 registry problems: MS A-V notification disabled.
       Full scan: Backdoor moveMediaPlayer file infection.
    4. GMER: warning, RootKit Activity.
    5. DDS

    FULL LOGS:

    ============================================


    Avira AntiVir Personal
    Report file date: Monday, December 13, 2010 10:01

    Scanning for 3141477 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : Peter
    Computer name : SKYROOM

    Version information:
    BUILD.DAT : 10.0.0.607 31826 Bytes 11/30/2010 19:17:00
    AVSCAN.EXE : 10.0.3.5 435368 Bytes 11/30/2010 22:13:17
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 16:57:04
    LUKE.DLL : 10.0.3.2 104296 Bytes 11/30/2010 22:13:24
    LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:27:49
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:37:42
    VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 20:37:42
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 15:29:03
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 22:13:29
    VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 22:13:30
    VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 22:13:32
    VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 22:13:34
    VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 22:13:35
    VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 22:13:35
    VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 22:13:35
    VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 22:13:35
    VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 22:13:35
    VBASE014.VDF : 7.10.13.147 146944 Bytes 11/7/2010 22:13:35
    VBASE015.VDF : 7.10.13.180 123904 Bytes 11/9/2010 22:13:36
    VBASE016.VDF : 7.10.13.211 122368 Bytes 11/11/2010 22:13:36
    VBASE017.VDF : 7.10.13.243 147456 Bytes 11/15/2010 22:13:36
    VBASE018.VDF : 7.10.14.15 142848 Bytes 11/17/2010 22:13:36
    VBASE019.VDF : 7.10.14.41 134144 Bytes 11/19/2010 22:13:36
    VBASE020.VDF : 7.10.14.63 128000 Bytes 11/22/2010 22:13:36
    VBASE021.VDF : 7.10.14.87 143872 Bytes 11/24/2010 22:13:36
    VBASE022.VDF : 7.10.14.116 140800 Bytes 11/26/2010 22:13:36
    VBASE023.VDF : 7.10.14.147 150528 Bytes 11/30/2010 22:16:23
    VBASE024.VDF : 7.10.14.175 126464 Bytes 12/3/2010 13:59:21
    VBASE025.VDF : 7.10.14.203 120320 Bytes 12/7/2010 13:59:23
    VBASE026.VDF : 7.10.14.230 137216 Bytes 12/9/2010 13:59:26
    VBASE027.VDF : 7.10.14.231 2048 Bytes 12/9/2010 13:59:27
    VBASE028.VDF : 7.10.14.232 2048 Bytes 12/9/2010 13:59:27
    VBASE029.VDF : 7.10.14.233 2048 Bytes 12/9/2010 13:59:27
    VBASE030.VDF : 7.10.14.234 2048 Bytes 12/9/2010 13:59:27
    VBASE031.VDF : 7.10.15.2 114176 Bytes 12/13/2010 13:59:29
    Engineversion : 8.2.4.122
    AEVDF.DLL : 8.1.2.1 106868 Bytes 11/30/2010 22:13:13
    AESCRIPT.DLL : 8.1.3.48 1286524 Bytes 12/13/2010 14:00:29
    AESCN.DLL : 8.1.7.2 127349 Bytes 11/30/2010 22:13:12
    AESBX.DLL : 8.1.3.2 254324 Bytes 11/30/2010 22:13:12
    AERDL.DLL : 8.1.9.2 635252 Bytes 11/30/2010 22:13:12
    AEPACK.DLL : 8.2.4.1 512375 Bytes 12/13/2010 14:00:20
    AEOFFICE.DLL : 8.1.1.10 201084 Bytes 11/30/2010 22:13:11
    AEHEUR.DLL : 8.1.2.54 3113335 Bytes 12/13/2010 14:00:13
    AEHELP.DLL : 8.1.16.0 246136 Bytes 12/13/2010 13:59:43
    AEGEN.DLL : 8.1.5.0 397685 Bytes 12/13/2010 13:59:41
    AEEMU.DLL : 8.1.3.0 393589 Bytes 11/30/2010 22:13:06
    AECORE.DLL : 8.1.19.0 196984 Bytes 12/13/2010 13:59:37
    AEBB.DLL : 8.1.1.0 53618 Bytes 11/30/2010 22:13:05
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 11/30/2010 22:13:17
    AVPREF.DLL : 10.0.0.0 44904 Bytes 11/30/2010 22:13:16
    AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 18:27:13
    AVREG.DLL : 10.0.3.2 53096 Bytes 11/30/2010 22:13:17
    AVSCPLR.DLL : 10.0.3.2 84328 Bytes 11/30/2010 22:13:17
    AVARKT.DLL : 10.0.22.6 231784 Bytes 11/30/2010 22:13:14
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 11/30/2010 22:13:15
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 18:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 11/30/2010 22:13:17
    NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 18:27:21
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 11/30/2010 22:13:38

    Configuration settings for the scan:
    Jobname.............................: Short system scan after installation
    Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: Intelligent file selection
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Monday, December 13, 2010 10:01

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'avconfig.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'avshadow.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'setup.exe' - '1' Module(s) have been scanned
    Scan process 'msiexec.exe' - '1' Module(s) have been scanned
    Scan process 'presetup.exe' - '1' Module(s) have been scanned
    Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
    Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
    Scan process 'firefox.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
    Scan process 'cli.exe' - '1' Module(s) have been scanned
    Scan process 'hpqgpc01.exe' - '1' Module(s) have been scanned
    Scan process 'hpqbam08.exe' - '1' Module(s) have been scanned
    Scan process 'hpqSTE08.exe' - '1' Module(s) have been scanned
    Scan process 'brccMCtl.exe' - '1' Module(s) have been scanned
    Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
    Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
    Scan process 'DLG.exe' - '1' Module(s) have been scanned
    Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
    Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
    Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'netWaiting.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'avgtray.exe' - '1' Module(s) have been scanned
    Scan process 'rundll32.exe' - '1' Module(s) have been scanned
    Scan process 'BrMfcWnd.exe' - '1' Module(s) have been scanned
    Scan process 'pptd40nt.exe' - '1' Module(s) have been scanned
    Scan process 'CLI.EXE' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'MskAgent.exe' - '1' Module(s) have been scanned
    Scan process 'issch.exe' - '1' Module(s) have been scanned
    Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
    Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
    Scan process 'stsystra.exe' - '1' Module(s) have been scanned
    Scan process 'quickset.exe' - '1' Module(s) have been scanned
    Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'BrMfcmon.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mshta.exe' - '1' Module(s) have been scanned
    Scan process 'mcappins.exe' - '1' Module(s) have been scanned
    Scan process 'mghtml.exe' - '1' Module(s) have been scanned
    Scan process 'mcappins.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'hpqgpc01.exe' - '1' Module(s) have been scanned
    Scan process 'hpqbam08.exe' - '1' Module(s) have been scanned
    Scan process 'hpqSTE08.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'cli.exe' - '1' Module(s) have been scanned
    Scan process 'soffice.bin' - '1' Module(s) have been scanned
    Scan process 'soffice.exe' - '1' Module(s) have been scanned
    Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
    Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
    Scan process 'DLG.exe' - '1' Module(s) have been scanned
    Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned
    Scan process 'brccMCtl.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'netWaiting.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'avgtray.exe' - '1' Module(s) have been scanned
    Scan process 'rundll32.exe' - '1' Module(s) have been scanned
    Scan process 'BrMfcWnd.exe' - '1' Module(s) have been scanned
    Scan process 'pptd40nt.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'MskAgent.exe' - '1' Module(s) have been scanned
    Scan process 'issch.exe' - '1' Module(s) have been scanned
    Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
    Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'stsystra.exe' - '1' Module(s) have been scanned
    Scan process 'WLTRAY.exe' - '1' Module(s) have been scanned
    Scan process 'quickset.exe' - '1' Module(s) have been scanned
    Scan process 'CLI.EXE' - '1' Module(s) have been scanned
    Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'NICCONFIGSVC.exe' - '1' Module(s) have been scanned
    Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
    Scan process 'java.exe' - '1' Module(s) have been scanned
    Scan process 'MDM.EXE' - '1' Module(s) have been scanned
    Scan process 'avgnsx.exe' - '1' Module(s) have been scanned
    Scan process 'LinksysUpdater.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'SAgent2.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'avgwdsvc.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
    Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'avgcsrvx.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'avgrsx.exe' - '1' Module(s) have been scanned
    Scan process 'avgchsvx.exe' - '1' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!

    Start scanning boot sectors:

    Starting to scan executable files (registry).
    The registry was scanned ( '1792' files ).
    End of the scan: Monday, December 13, 2010 10:04
    Used time: 02:38 Minute(s)

    The scan has been done completely.

    0 Scanned directories
    2371 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    2371 Files not concerned
    5 Archives were scanned
    0 Warnings
    0 Notes
    ==================================
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5306

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/13/2010 10:51:40 AM
    mbam-log-2010-12-13 (10-51-40).txt

    Scan type: Quick scan
    Objects scanned: 175970
    Time elapsed: 13 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Kendra\start menu\Programs\thinkpoint.lnk (Rogue.ThinkPoint) -> Quarantined and deleted successfully.
    ==============================================================
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5306

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/13/2010 12:42:00 PM
    mbam-log-2010-12-13 (12-42-00).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 255880
    Time elapsed: 1 hour(s), 40 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Kendra\application data\move networks\movemediaplayer_07103010.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    ===============================================

    GMER

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-13 13:06:26
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS541680J9SA00 rev.SB2OC74P
    Running: jmrxk608.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\uxddypog.sys
    ---- System - GMER 1.0.15 ----

    SSDT B0AAD22E ZwCreateKey
    SSDT B0AAD224 ZwCreateThread
    SSDT B0AAD233 ZwDeleteKey
    SSDT B0AAD23D ZwDeleteValueKey
    SSDT B0AAD242 ZwLoadKey
    SSDT B0AAD210 ZwOpenProcess
    SSDT B0AAD215 ZwOpenThread
    SSDT B0AAD24C ZwReplaceKey
    SSDT B0AAD247 ZwRestoreKey
    SSDT B0AAD238 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    ? xywcw.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CC000A
    .text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A
    .text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CB000C
    .text C:\WINDOWS\System32\svchost.exe[1128] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01BB000A
    .text C:\WINDOWS\System32\svchost.exe[1128] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EA000A
    .text C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe[2344] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 0042E060 C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (Hitman Pro 3.5/SurfRight B.V.)
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\WINDOWS\Explorer.EXE[3116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0185000A
    .text C:\WINDOWS\Explorer.EXE[3116] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0186000A
    .text C:\WINDOWS\Explorer.EXE[3116] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0184000C
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3608] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[5440] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2748] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00300010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3608] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00300010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[5440] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00300010

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85312292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85312292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85312292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85312292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-12 85312292

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \FileSystem\Fastfat \Fat AB3B1D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS541680J9SA00_________________SB2OC74P#5&24cbc6ab&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016383a37f0
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016383a37f0 (not active ControlSet)
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Deskjet D4300 series (Copy 1)@ChangeID 555625

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 156301232 (+255): rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----
    ============================

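To make a GMER log like the one above easier to act on, here is an added Python triage script. It is my own example, not a tool from this thread, from GMER, or from TechSpot; the sample lines embedded in it are copied from the log above (so they are constructed test input, not a new scan), and the regular expressions are my assumptions about the GMER 1.0.15 line layout, not a documented format. The point it makes is the one a reviewer of this log has to make by hand: a named rootkit in the MBR sector outranks dozens of inline hooks in chrome.exe, which a browser's own sandbox commonly installs in its processes.

```python
"""Triage helper for a GMER 1.0.15 text log (added example, assumed line format).

Groups user-mode inline hooks (".text" lines) by process, records IAT hooks and
attached filter drivers, and pulls out every "Disk ... rootkit-like behavior"
line so the MBR finding is not lost among the browser's own sandbox hooks.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER log in this thread.
SAMPLE_LOG = """\
.text C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe[5440] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
.text C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe[5440] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe[2748] @ C:\\WINDOWS\\system32\\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00300010
IAT C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe[5440] @ C:\\WINDOWS\\system32\\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00300010

---- Devices - GMER 1.0.15 ----

AttachedDevice \\Driver\\Tcpip \\Device\\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \\Driver\\Kbdclass \\Device\\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \\Device\\Harddisk0\\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sectors 156301232 (+255): rootkit-like behavior;
"""

# Assumed layouts for the four GMER line kinds seen in the log above.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+)"
    r" \+ (?P<off>[0-9A-Fa-f]+) (?P<addr>[0-9A-Fa-f]+) (?P<rest>.*)$"
)
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) \[(?P<imp>[^\]]+)\] (?P<addr>[0-9A-Fa-f]+)$"
)
DEVICE_RE = re.compile(
    r"^AttachedDevice (?P<driver>\S+) (?P<device>\S+) (?P<file>\S+) \((?P<desc>.*)\)$"
)
DISK_RE = re.compile(
    r"^Disk (?P<device>\S+) sectors? (?P<sector>\d+)"
    r"(?: \(\+(?P<count>\d+)\))?(?: \((?P<label>[^)]+)\))?: (?P<note>.*)$"
)


def parse_gmer(log_text):
    """Return the findings grouped by GMER section type."""
    hooks = defaultdict(set)      # "path[pid]" -> {"module!func", ...}
    iat = []                      # (pid, hooked import)
    devices = defaultdict(int)    # filter driver file -> number of attach points
    disk = []                     # one dict per "Disk" line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks[f"{m['proc']}[{m['pid']}]"].add(f"{m['module']}!{m['func']}")
            continue
        m = IAT_RE.match(line)
        if m:
            iat.append((int(m["pid"]), m["imp"]))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices[m["file"]] += 1
            continue
        m = DISK_RE.match(line)
        if m:
            disk.append({
                "sector": int(m["sector"]),
                "count": int(m["count"]) if m["count"] else 1,
                "label": m["label"] or "",
                "note": m["note"],
                # GMER names a recognised rootkit family in upper case on the line.
                "named_rootkit": "ROOTKIT" in m["note"],
            })
    return {
        "hooks": {k: sorted(v) for k, v in hooks.items()},
        "iat": iat,
        "devices": dict(devices),
        "disk": disk,
    }


def severity(findings):
    """Rank the log: a named MBR rootkit outranks any user-mode hook."""
    for d in findings["disk"]:
        if d["label"] == "MBR" and d["named_rootkit"]:
            return "critical: MBR rootkit named by GMER"
    if any("rootkit-like" in d["note"] for d in findings["disk"]):
        return "high: unexplained raw disk-sector modifications"
    if findings["hooks"] or findings["iat"]:
        return "review: user-mode hooks only; check whether the hooked app sandboxes itself"
    return "clean: nothing GMER considers suspicious"


if __name__ == "__main__":
    result = parse_gmer(SAMPLE_LOG)
    print(severity(result))
    for proc, funcs in result["hooks"].items():
        print(f"{proc}: {len(funcs)} inline hook(s)")
```

On the thread's full log the hook list for chrome.exe runs to dozens of ntdll exports, so printing only the per-process count keeps the one line that matters, the TDL4 MBR finding, at the top of the output.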
  2. Broni

    Broni (Malware Annihilator)

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    All logs have to be pasted, so please unzip Attach.txt and paste it into your next reply.
    Also provide the DDS.txt log.

    =====================================================================

    Then....

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.